|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [xen master] x86/hvm: Fix boundary check in hvmemul_insn_fetch()
commit 5a992b670bff697c40b513c9e037598ba35ca7d4
Author: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
AuthorDate: Tue Jul 25 19:48:43 2017 +0100
Commit: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Thu Jul 27 11:39:57 2017 +0100
x86/hvm: Fix boundary check in hvmemul_insn_fetch()
c/s 0943a03037 added some extra protection for overflowing the emulation
instruction cache, but Coverity points out that boundary condition is off by
one when memcpy()'ing out of the buffer.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Reviewed-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
---
xen/arch/x86/hvm/emulate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/hvm/emulate.c b/xen/arch/x86/hvm/emulate.c
index 99fc4ca..087425f 100644
--- a/xen/arch/x86/hvm/emulate.c
+++ b/xen/arch/x86/hvm/emulate.c
@@ -958,8 +958,8 @@ int hvmemul_insn_fetch(
* Will we overflow insn_buf[]? This shouldn't be able to happen,
* which means something went wrong with instruction decoding...
*/
- if ( insn_off > sizeof(hvmemul_ctxt->insn_buf) ||
- (insn_off + bytes) > sizeof(hvmemul_ctxt->insn_buf) )
+ if ( insn_off >= sizeof(hvmemul_ctxt->insn_buf) ||
+ (insn_off + bytes) >= sizeof(hvmemul_ctxt->insn_buf) )
{
ASSERT_UNREACHABLE();
return X86EMUL_UNHANDLEABLE;
--
generated by git-patchbot for /home/xen/git/xen.git#master
_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |